User Profile
BillTheKid
Brass Contributor
Joined 7 years ago
Recent Discussions
Defender for Identity - Streaming of events possible?
Hello! In Defender for Endpoint, events can be forwarded through Azure Event Hubs or Azure Storage (see link). How do I achieve the same functionality through Defender for Identity? In particular, I am interested in the following tables:

- IdentityQueryEvents (DC DNS events)
- IdentityDirectoryEvents (DC events)

I could not find such data-export functionality in the Azure ATP portal. Additionally, I've enabled telemetry data sharing between Defender for Endpoint and Defender for Identity, so I can access the schema tables from Microsoft 365 Security (central portal), but I still cannot use the internal Defender ATP data exporter to enable forwarding for these data tables. The current CEF exporter for Defender for Identity (see link) only gives alerts and some additional test messages in CEF format. I couldn't find the raw events there either. So how do I forward all Defender for Identity raw data to an Azure Event Hub / Azure Storage so that, e.g., advanced hunting on that data is possible in a third-party SIEM?

Related MS blog for hunting in Azure ATP data via KQL: https://techcommunity.microsoft.com/t5/microsoft-365-defender/hunt-for-threats-using-events-captured-by-azure-atp-on-your/ba-p/1598212

Regards from Germany,
Bill